Researcher of the leak. I got a question from NOS to test the security of a 6-length short code link (<a href="https://www.klm.nl/s/xxxxxx" rel="nofollow noreferrer">https://www.klm.nl/s/xxxxxx</a>) used in text messages. I've tested two ranges (FAbxxx and KLmxxx), which gave a consistent 1% hit ratio of customer data (57% Air France, 43% KLM), NOS tested a smaller size random set (and got about 0.5%), 62^6*0.01=568 million. It was probably base64url (we now know - was also used, not yet got a _ confirmation).<p>Original posting of Dutch article: <a href="https://news.ycombinator.com/item?id=38681302">https://news.ycombinator.com/item?id=38681302</a>